1 00:00:02,790 --> 00:00:04,200 i'm dr mike murphy 2 00:00:07,890 --> 00:00:09,750 in this lecture i'm going to discuss 3 00:00:09,750 --> 00:00:13,020 spoliation particularly as it applies to digital 4 00:00:13,020 --> 00:00:13,830 forensics 5 00:00:14,940 --> 00:00:17,640 the spoliation is a legal concept and 6 00:00:17,640 --> 00:00:19,020 i must start with a disclaimer that 7 00:00:19,020 --> 00:00:21,810 i'm not a lawyer this presentation is 8 00:00:21,810 --> 00:00:24,210 based upon research into laws and cases 9 00:00:24,210 --> 00:00:26,100 applicable in the state of south carolina 10 00:00:26,100 --> 00:00:28,620 united states of america for the purpose 11 00:00:28,620 --> 00:00:31,470 of studying digital forensics laws and legal 12 00:00:31,470 --> 00:00:35,040 practices vary from jurisdiction to jurisdiction cases 13 00:00:35,040 --> 00:00:36,930 law within the united states can change 14 00:00:36,930 --> 00:00:40,320 or invalidate existing statutes and legislatures can 15 00:00:40,320 --> 00:00:43,200 repeal or enact new statutes this lecture 16 00:00:43,200 --> 00:00:44,520 may not be accurate by the time 17 00:00:44,520 --> 00:00:46,380 you view it no part of this 18 00:00:46,380 --> 00:00:49,650 lecture constitutes legal advice consult an attorney 19 00:00:49,650 --> 00:00:51,030 if you have legal questions 20 00:00:53,100 --> 00:00:54,052 alright so what i'm going to do 21 00:00:54,060 --> 00:00:55,380 is i'm gonna go over the definition 22 00:00:55,380 --> 00:00:57,300 of spoliation and again this is for 23 00:00:57,300 --> 00:00:59,610 a a non lawyer for a forensic 24 00:00:59,610 --> 00:01:02,730 analyst to understand i talk about the 25 00:01:02,730 --> 00:01:05,040 effects of spoliation on civil and criminal 26 00:01:05,040 --> 00:01:08,640 cases discuss how we can avoid spoliation 27 00:01:08,640 --> 00:01:10,020 at least to the extent possible in 28 00:01:10,020 --> 00:01:12,240 digital forensics does 29 00:01:12,240 --> 00:01:14,910 discuss 
methods for detecting in obligations for 30 00:01:14,910 --> 00:01:18,090 reporting spoliation and go over a few 31 00:01:18,090 --> 00:01:19,500 ethical considerations 32 00:01:22,290 --> 00:01:25,950 so what a spoliation well in west 33 00:01:25,950 --> 00:01:27,870 v goodyear nineteen ninety nine which was 34 00:01:27,876 --> 00:01:31,530 a supreme court case the court said 35 00:01:31,530 --> 00:01:34,260 that spoliation is the destruction or significant 36 00:01:34,260 --> 00:01:36,960 alteration of evidence or the failure to 37 00:01:36,960 --> 00:01:39,690 preserve property for another's use as evidence 38 00:01:39,720 --> 00:01:40,800 in pending or 39 00:01:40,830 --> 00:01:44,850 or reasonably foreseeable litigation litigation in this 40 00:01:44,850 --> 00:01:46,470 case meaning any court case 41 00:01:47,910 --> 00:01:50,460 now while intentional spoliation in other words 42 00:01:50,460 --> 00:01:53,250 going and intentionally destroying or altering evidence 43 00:01:53,280 --> 00:01:56,550 is inherently unethical and is obviously to 44 00:01:56,550 --> 00:01:59,160 be avoided it's equally important that we 45 00:01:59,160 --> 00:02:01,770 avoid unintentional spoliation which is what the 46 00:02:01,770 --> 00:02:04,860 courts called negligent spoliation he didn't mean 47 00:02:04,860 --> 00:02:06,900 to change the evidence but she did 48 00:02:07,380 --> 00:02:07,680 that 49 00:02:07,680 --> 00:02:08,940 is considered negligence 50 00:02:10,590 --> 00:02:13,290 the party that's causing spoliation in other 51 00:02:13,290 --> 00:02:14,970 words the one that makes a change 52 00:02:15,000 --> 00:02:17,070 to the evidence or destroy something is 53 00:02:17,070 --> 00:02:17,970 called the spoliation 54 00:02:20,130 --> 00:02:23,160 alright in civil cases spoliation is pretty 55 00:02:23,160 --> 00:02:25,770 cut and dry eye in state level 56 00:02:25,770 --> 00:02:28,620 cases the spoliation is typically sanctioned and 57 00:02:28,620 --> 00:02:31,650 the 
sanctions do vary by state interestingly 58 00:02:31,650 --> 00:02:34,080 the source indicates that south carolina really 59 00:02:34,080 --> 00:02:36,240 doesn't have much case law or anything 60 00:02:36,600 --> 00:02:39,090 specific on the books regarding spoliation 61 00:02:39,780 --> 00:02:42,210 i the federal level though it's a 62 00:02:42,210 --> 00:02:44,760 lot more cut and dry particularly when 63 00:02:44,760 --> 00:02:47,280 it comes to electronically stored information which 64 00:02:47,280 --> 00:02:48,990 is going to be basically anything that's 65 00:02:48,990 --> 00:02:50,460 digital forensic evidence 66 00:02:52,290 --> 00:02:54,840 if the spoliation is negligent it results 67 00:02:54,840 --> 00:02:56,910 in prejudice against the spoliation what that 68 00:02:56,910 --> 00:03:01,110 means is that the judge can effectively 69 00:03:01,110 --> 00:03:03,360 instruct the jury or if the judge 70 00:03:03,362 --> 00:03:04,920 to bench trial the judge can make 71 00:03:04,920 --> 00:03:06,420 this prejudicial 72 00:03:07,535 --> 00:03:09,510 judgement on his own or her own 73 00:03:10,590 --> 00:03:11,910 but the idea is 74 00:03:13,260 --> 00:03:17,160 that if one party spoliation evidence the 75 00:03:17,160 --> 00:03:19,620 judge can instruct the jury that 76 00:03:20,670 --> 00:03:23,460 the other party could infer that whatever 77 00:03:23,460 --> 00:03:25,830 evidence was foliated was detrimental to the 78 00:03:25,830 --> 00:03:27,030 party that's foliated it 79 00:03:28,170 --> 00:03:31,470 there's other types of of remedies there 80 00:03:31,470 --> 00:03:33,570 with prejudice that can occur including a 81 00:03:33,570 --> 00:03:35,580 dismissal of the case and so forth 82 00:03:35,910 --> 00:03:37,950 depending on the circumstances depending on the 83 00:03:37,950 --> 00:03:40,950 situation but generally speaking this foliate or 84 00:03:41,700 --> 00:03:43,920 gets the raw end of the deal 85 00:03:43,920 --> 00:03:46,260 so to speak i if the 
spoliation 86 00:03:46,260 --> 00:03:47,880 is discovered and and the court makes 87 00:03:47,880 --> 00:03:48,240 that re 88 00:03:48,240 --> 00:03:50,310 ruling and this is federal law rule 89 00:03:50,310 --> 00:03:51,960 of civil procedure thirty seven 90 00:03:53,760 --> 00:03:57,840 now intentional spoliation results in an immediate 91 00:03:57,840 --> 00:04:00,090 presumption that the evidence was unfavorable to 92 00:04:00,090 --> 00:04:02,460 the spoleto and it may result in 93 00:04:02,460 --> 00:04:04,050 a default judgment in favor of the 94 00:04:04,050 --> 00:04:06,840 opposite party so if evidence has been 95 00:04:06,840 --> 00:04:10,020 spoliation in a civil case and the 96 00:04:10,020 --> 00:04:13,020 court rules that spoliation has occurred that 97 00:04:13,020 --> 00:04:13,200 can 98 00:04:13,230 --> 00:04:16,709 be immediately detrimental to the spoleto whichever 99 00:04:16,709 --> 00:04:18,329 party did it and of course the 100 00:04:18,329 --> 00:04:20,370 plaintiff or the defendant could slowly add 101 00:04:20,370 --> 00:04:22,980 evidence because discovery in civil cases is 102 00:04:22,980 --> 00:04:25,710 normally two ways and so there's there's 103 00:04:25,710 --> 00:04:29,010 all kinds of opportunities so civil cases 104 00:04:29,190 --> 00:04:32,880 pretty simple spoliation bad unless of course 105 00:04:32,910 --> 00:04:33,360 it's the 106 00:04:33,360 --> 00:04:36,120 the other party that did the spoliation 107 00:04:36,120 --> 00:04:37,650 from the party that you're representing in 108 00:04:37,650 --> 00:04:39,450 which case spoliation good because it helps 109 00:04:39,450 --> 00:04:42,000 your case criminal cases aren't so cut 110 00:04:42,000 --> 00:04:44,130 and dry though and the reason they're 111 00:04:44,130 --> 00:04:46,260 not so cut and dry is because 112 00:04:46,260 --> 00:04:48,060 of a different series of supreme court 113 00:04:48,060 --> 00:04:51,420 cases now in nineteen sixty three the 114 00:04:51,420 --> 
00:04:53,520 brady the maryland case a stab 115 00:04:53,520 --> 00:04:57,240 polish that suppression of exculpatory evidence violates 116 00:04:57,240 --> 00:04:59,490 a defendant's right to due process and 117 00:04:59,490 --> 00:05:00,900 it's not a stretch to say that 118 00:05:00,900 --> 00:05:02,670 it would include spoliation because if you 119 00:05:02,670 --> 00:05:05,760 destroy evidence that is exculpatory you have 120 00:05:06,030 --> 00:05:08,160 suppressed in other words it hasn't been 121 00:05:08,160 --> 00:05:11,040 turned over to the defense so that 122 00:05:11,040 --> 00:05:12,330 could be an issue and of course 123 00:05:12,330 --> 00:05:13,680 the criminal cases were looking at sp 124 00:05:13,680 --> 00:05:16,590 foliation generally speaking it's not going to 125 00:05:16,590 --> 00:05:18,300 be the defendant that is doing the 126 00:05:18,300 --> 00:05:22,320 spoliation because the evidence should be properly 127 00:05:22,320 --> 00:05:24,810 in the custody of the prosecution or 128 00:05:24,810 --> 00:05:26,970 the police who are you know part 129 00:05:26,970 --> 00:05:29,700 of the prosecution so you really should 130 00:05:29,700 --> 00:05:32,760 not have a situation in which the 131 00:05:32,760 --> 00:05:33,840 defendant is so 132 00:05:33,840 --> 00:05:35,610 deleting evidence in a criminal case at 133 00:05:35,610 --> 00:05:36,900 least not that i can think of 134 00:05:37,200 --> 00:05:39,030 i'm sure somewhere out there some lawyer 135 00:05:39,030 --> 00:05:41,070 can give me a counter example but 136 00:05:41,070 --> 00:05:42,900 i'm just going with the kind of 137 00:05:42,900 --> 00:05:44,820 the law the non lawyer what makes 138 00:05:44,820 --> 00:05:45,780 sense approach here 139 00:05:46,800 --> 00:05:47,169 i 140 00:05:49,500 --> 00:05:51,510 fast forward another twenty five years or 141 00:05:51,510 --> 00:05:54,480 so and the arizona the young blood 142 00:05:54,480 --> 00:05:55,860 case this one was a little bit 143 
00:05:55,860 --> 00:05:58,980 interesting and the crux of this case 144 00:05:59,280 --> 00:06:02,430 to quote from the the actual supreme 145 00:06:02,430 --> 00:06:03,270 court decision 146 00:06:04,350 --> 00:06:05,070 is 147 00:06:06,270 --> 00:06:08,790 that we think that requiring a defendant 148 00:06:08,790 --> 00:06:10,440 to show bad faith on the part 149 00:06:10,440 --> 00:06:12,300 of the police both limits the extent 150 00:06:12,300 --> 00:06:14,610 of the police's obligation to preserve evidence 151 00:06:14,610 --> 00:06:17,130 to reasonable bounds and confines it to 152 00:06:17,130 --> 00:06:19,020 that class of cases where the interests 153 00:06:19,020 --> 00:06:21,660 of justice most clearly require it i 154 00:06:21,660 --> 00:06:23,760 e those cases in which the police 155 00:06:23,760 --> 00:06:26,250 themselves by their conduct indicate that the 156 00:06:26,250 --> 00:06:26,400 f 157 00:06:26,400 --> 00:06:28,830 evidence could form a basis for exonerating 158 00:06:28,830 --> 00:06:32,190 the defendant so basically this court case 159 00:06:32,640 --> 00:06:33,810 ruled that 160 00:06:35,070 --> 00:06:37,950 spoliation of non brady evidence in other 161 00:06:37,950 --> 00:06:41,820 words evidence that was not obviously or 162 00:06:42,510 --> 00:06:45,420 you know potential well not obviously exculpatory 163 00:06:45,420 --> 00:06:46,890 potentially exculpatory is kind of in a 164 00:06:46,890 --> 00:06:48,960 gray area between there but evidence that 165 00:06:48,960 --> 00:06:53,790 was non obviously exculpatory if that evidence 166 00:06:53,790 --> 00:06:55,200 was foliated it would 167 00:06:55,230 --> 00:06:58,260 only to violate the defendant's due process 168 00:06:58,260 --> 00:07:01,770 rights if the spoliation occurred in as 169 00:07:01,770 --> 00:07:03,810 a result of intentional spoliation other words 170 00:07:03,810 --> 00:07:06,120 the police acting in bad faith and 171 00:07:06,120 --> 00:07:08,280 the whole idea here 
was this reasonable 172 00:07:08,280 --> 00:07:11,490 bounds of preserving the evidence and evidence 173 00:07:11,490 --> 00:07:13,560 physical evidence which is what was at 174 00:07:13,560 --> 00:07:15,360 issue in this case takes 175 00:07:15,390 --> 00:07:18,180 up space and trying to store that 176 00:07:18,210 --> 00:07:23,460 indefinitely is not exactly practical right so 177 00:07:23,760 --> 00:07:25,110 there had to be some sort of 178 00:07:25,110 --> 00:07:28,980 balance between what could be stored for 179 00:07:28,980 --> 00:07:30,930 long term use and a court case 180 00:07:31,260 --> 00:07:34,200 versus what you what didn't need to 181 00:07:34,200 --> 00:07:34,770 be stored 182 00:07:35,640 --> 00:07:36,840 now to give you some background on 183 00:07:36,840 --> 00:07:39,210 the case i just kind of giving 184 00:07:39,210 --> 00:07:41,970 the the syllabus here at the very 185 00:07:41,970 --> 00:07:43,920 top of the case the victim a 186 00:07:43,920 --> 00:07:45,600 ten year old boy was molested and 187 00:07:45,600 --> 00:07:47,520 sodomized by a middle aged man for 188 00:07:47,520 --> 00:07:49,680 one and a half hours after the 189 00:07:49,680 --> 00:07:51,570 assault the boy was taken to hospital 190 00:07:51,570 --> 00:07:53,160 where a physician used a swab from 191 00:07:53,160 --> 00:07:55,590 a quote sexual assault kit unquote 192 00:07:55,860 --> 00:07:57,420 to collect semen samples from the boy's 193 00:07:57,420 --> 00:07:59,940 rectum the police also collected the boys' 194 00:07:59,940 --> 00:08:03,180 clothing which they failed to refrigerate a 195 00:08:03,180 --> 00:08:05,970 police criminologist later performed some tests on 196 00:08:05,970 --> 00:08:07,620 the rectal swab in the boys' clothing 197 00:08:07,950 --> 00:08:10,200 but he was unable to obtain information 198 00:08:10,200 --> 00:08:11,940 about the identity of the boys boy's 199 00:08:11,940 --> 00:08:15,510 assailant at trial expert witnesses testified that 200 
00:08:15,510 --> 00:08:15,840 the reason 201 00:08:15,840 --> 00:08:17,910 fondant who in this case would have 202 00:08:17,910 --> 00:08:18,600 been young blood 203 00:08:22,500 --> 00:08:25,200 might have been completely exonerated by timely 204 00:08:25,200 --> 00:08:28,110 performance of tests on the properly preserved 205 00:08:28,140 --> 00:08:30,840 semen samples respondent was convicted of child 206 00:08:30,840 --> 00:08:33,570 molestation sexual assault and kidnapping in arizona 207 00:08:33,570 --> 00:08:36,090 state court the arizona court of repeal 208 00:08:36,150 --> 00:08:38,669 of appeals reversed the decision on the 209 00:08:38,669 --> 00:08:39,840 ground that the state had br 210 00:08:39,840 --> 00:08:41,880 reached a constitutional duty to preserve the 211 00:08:41,880 --> 00:08:44,580 semen samples from the victim's body and 212 00:08:44,580 --> 00:08:48,690 clothing and basically these united states supreme 213 00:08:48,690 --> 00:08:51,900 court reversed the arizona court of appeals 214 00:08:51,900 --> 00:08:53,520 and said no the police did not 215 00:08:53,520 --> 00:08:57,150 have to preserve this evidence now turns 216 00:08:57,150 --> 00:08:58,590 out this wasn't one of the supreme 217 00:08:58,590 --> 00:08:59,970 court's better decisions 218 00:09:00,330 --> 00:09:02,550 because it turned out in two thousand 219 00:09:02,550 --> 00:09:04,500 when new dna tests were available that 220 00:09:04,560 --> 00:09:06,300 were not available in nineteen eighty eight 221 00:09:06,870 --> 00:09:09,930 they retested the evidence even though it 222 00:09:09,930 --> 00:09:12,180 had degraded and they were actually able 223 00:09:12,180 --> 00:09:15,090 to conclusively determine that young blood i 224 00:09:15,360 --> 00:09:17,220 did not commit the crime he had 225 00:09:17,220 --> 00:09:19,470 been sitting in prison for all those 226 00:09:19,470 --> 00:09:20,160 years 227 00:09:20,340 --> 00:09:22,200 and was innocent and in fact the 228 
00:09:22,200 --> 00:09:24,570 person who did commit the crime was 229 00:09:24,570 --> 00:09:26,220 sitting in another prison for a different 230 00:09:26,220 --> 00:09:30,240 crime and was then convicted of this 231 00:09:30,240 --> 00:09:32,370 crime so i 232 00:09:34,080 --> 00:09:36,570 this idea that the police have to 233 00:09:36,570 --> 00:09:39,030 act in bad faith despoliation evidence if 234 00:09:39,030 --> 00:09:41,580 it's non brady evidence to violate due 235 00:09:41,580 --> 00:09:44,310 process rights is a little bit interesting 236 00:09:44,640 --> 00:09:47,340 gay and it's all contingent upon this 237 00:09:47,340 --> 00:09:49,440 reasoning that hey the police can't store 238 00:09:49,440 --> 00:09:50,520 everything forever 239 00:09:52,980 --> 00:09:55,290 keep that in mind for second all 240 00:09:55,290 --> 00:09:56,700 right so we go to united states 241 00:09:56,700 --> 00:09:58,710 v suarez this is not a supreme 242 00:09:58,710 --> 00:10:00,270 court case this was a twenty ten 243 00:10:00,270 --> 00:10:02,550 case in district court in new jersey 244 00:10:02,940 --> 00:10:05,610 that in fact wasn't even published but 245 00:10:05,610 --> 00:10:08,280 a lawyer and it's in that may 246 00:10:10,115 --> 00:10:12,065 citations at the end but i i 247 00:10:12,155 --> 00:10:14,825 a an attorney's office who had an 248 00:10:14,825 --> 00:10:16,955 interest in these types of cases actually 249 00:10:17,345 --> 00:10:18,635 i guess must have done the freedom 250 00:10:18,635 --> 00:10:20,788 of information act requests and then published 251 00:10:20,788 --> 00:10:21,125 the 252 00:10:22,835 --> 00:10:26,135 published the case but the district court 253 00:10:26,825 --> 00:10:28,775 in a case a criminal case involving 254 00:10:28,775 --> 00:10:29,645 the f b i 255 00:10:31,235 --> 00:10:34,415 actually chose to apply the civil procedure 256 00:10:34,415 --> 00:10:37,055 rules to the criminal case because the 257 00:10:37,055 --> 00:10:39,845 f b 
i had basically dropped the 258 00:10:39,845 --> 00:10:42,065 ball and failed to preserve some text 259 00:10:42,065 --> 00:10:44,945 him messages that while they might not 260 00:10:44,945 --> 00:10:47,405 have been straight up exculpatory might have 261 00:10:47,405 --> 00:10:50,075 been useful to the defence and in 262 00:10:50,075 --> 00:10:50,915 this case the 263 00:10:50,915 --> 00:10:53,225 the court actually gave the jury adverse 264 00:10:53,225 --> 00:10:55,565 inference instructions in other words told the 265 00:10:55,565 --> 00:10:57,785 jury hey the f b i lost 266 00:10:57,785 --> 00:11:00,815 these text messages you can assume that 267 00:11:00,815 --> 00:11:02,615 it didn't help their case and i 268 00:11:02,615 --> 00:11:03,845 don't actually know what the outcome of 269 00:11:03,845 --> 00:11:05,765 the case was cause i didn't look 270 00:11:05,765 --> 00:11:07,835 that far and this isn't a precedential 271 00:11:07,835 --> 00:11:09,485 case so in a lot of respects 272 00:11:09,485 --> 00:11:11,045 it doesn't even matter only a 273 00:11:11,075 --> 00:11:12,905 pellet and supreme court cases are really 274 00:11:12,905 --> 00:11:16,565 that important but it does raise some 275 00:11:16,565 --> 00:11:19,925 interesting questions about how future court cases 276 00:11:19,925 --> 00:11:21,515 are going to handle lost or spoleto 277 00:11:21,545 --> 00:11:23,825 evidence particularly when it comes to digital 278 00:11:23,825 --> 00:11:25,895 evidence and i'll get back to this 279 00:11:25,895 --> 00:11:26,885 idea here in a minute 280 00:11:28,775 --> 00:11:30,935 so let's look at what could occur 281 00:11:32,615 --> 00:11:35,735 well let's say that you're working for 282 00:11:35,735 --> 00:11:38,615 the prosecution your forensic examiner for the 283 00:11:38,765 --> 00:11:40,445 the state or the us government 284 00:11:41,585 --> 00:11:44,975 and some evidence gets foliated but it 285 00:11:44,975 --> 00:11:46,595 wasn't a bad faith spoliation 286 
00:11:48,035 --> 00:11:49,265 there's all kinds of things that could 287 00:11:49,265 --> 00:11:49,565 happen 288 00:11:50,765 --> 00:11:52,535 while one thing could happen the trial 289 00:11:52,535 --> 00:11:54,845 judge might decide to suppress or disqualify 290 00:11:54,845 --> 00:11:57,245 the evidence in which case the evidence 291 00:11:57,245 --> 00:11:58,445 becomes useless in court 292 00:11:59,855 --> 00:12:01,295 but if the judge doesn't do that 293 00:12:02,765 --> 00:12:05,075 the defense might still be able to 294 00:12:05,075 --> 00:12:07,205 raise issues of reasonable doubt about the 295 00:12:07,205 --> 00:12:08,975 quality of the investigation i mean hey 296 00:12:08,975 --> 00:12:11,495 look you spoleto the evidence why should 297 00:12:11,495 --> 00:12:12,995 we trust any of the other conclusions 298 00:12:12,995 --> 00:12:13,355 you made 299 00:12:15,245 --> 00:12:17,885 and even if that doesn't work and 300 00:12:17,885 --> 00:12:19,775 the defendant is still convicted 301 00:12:21,275 --> 00:12:23,285 questions about that evidence and whether it 302 00:12:23,285 --> 00:12:25,745 should have been admitted or not can 303 00:12:25,745 --> 00:12:28,775 raise quote can can basically raise grounds 304 00:12:28,775 --> 00:12:30,695 for an appeal or reversible error at 305 00:12:30,695 --> 00:12:33,035 the lower court and there could be 306 00:12:33,035 --> 00:12:35,585 an overturning of the conviction and even 307 00:12:35,585 --> 00:12:37,985 if none of the above occurs sooner 308 00:12:37,985 --> 00:12:40,505 or later the supreme court might actually 309 00:12:40,505 --> 00:12:41,075 reverse them 310 00:12:41,105 --> 00:12:42,875 selves and the young blood case at 311 00:12:42,875 --> 00:12:45,155 least for digital evidence in this goes 312 00:12:45,155 --> 00:12:46,268 back to the thing i told you 313 00:12:46,268 --> 00:12:48,335 to remember from a minute ago they 314 00:12:48,335 --> 00:12:51,665 were preserving clothing they're preserving a 
piece 315 00:12:51,665 --> 00:12:53,285 of physical evidence that had to be 316 00:12:53,285 --> 00:12:54,095 stored somewhere 317 00:12:55,985 --> 00:12:58,085 the cost of preserving that type of 318 00:12:58,085 --> 00:12:59,885 evidence particularly if you need to preserve 319 00:12:59,885 --> 00:13:03,335 it under refrigeration gets extremely high extremely 320 00:13:03,335 --> 00:13:03,815 quickly 321 00:13:05,495 --> 00:13:08,375 with digital evidence though the opposite is 322 00:13:08,375 --> 00:13:11,615 true in some respects at least because 323 00:13:11,615 --> 00:13:15,185 the cost per byte or per gigabyte 324 00:13:15,185 --> 00:13:17,495 or today we measure per terabyte of 325 00:13:17,495 --> 00:13:20,975 storage goes down over time 326 00:13:22,445 --> 00:13:25,565 so for digital evidence it's a little 327 00:13:25,565 --> 00:13:28,145 bit harder i think you know again 328 00:13:28,205 --> 00:13:30,455 thinking about this as a non attorney 329 00:13:30,455 --> 00:13:31,835 just looking at this from a common 330 00:13:31,835 --> 00:13:34,415 sense perspective it's a little harder to 331 00:13:34,415 --> 00:13:36,035 make the case that hey it's you 332 00:13:36,035 --> 00:13:37,985 know it's just series is too expensive 333 00:13:37,985 --> 00:13:39,905 to store that extra hundred megabytes of 334 00:13:39,905 --> 00:13:42,154 data know you could store that extra 335 00:13:42,155 --> 00:13:42,275 hunt 336 00:13:42,275 --> 00:13:45,455 the megabytes of data easily long-term on 337 00:13:45,455 --> 00:13:48,605 tape for cheap so there's really no 338 00:13:49,535 --> 00:13:52,805 good reason from a technical perspective looking 339 00:13:52,805 --> 00:13:54,485 at this now as a computer scientist 340 00:13:54,485 --> 00:13:57,995 which i am there's no good point 341 00:13:58,355 --> 00:14:00,485 no good technical argument that i can 342 00:14:00,485 --> 00:14:02,435 make for why you wouldn't pay 343 00:14:02,435 --> 00:14:05,615 preserve digital 
evidence until the case was 344 00:14:05,615 --> 00:14:09,335 completely finished k there's there's just no 345 00:14:09,335 --> 00:14:13,625 reason so this could be a you 346 00:14:13,625 --> 00:14:14,975 know this this could be something that 347 00:14:14,975 --> 00:14:16,835 you have to think about long term 348 00:14:16,835 --> 00:14:18,305 if you're working in this field 349 00:14:20,405 --> 00:14:22,055 the best rule of thumb is just 350 00:14:22,055 --> 00:14:26,345 avoid spoliation altogether so follow best practices 351 00:14:26,735 --> 00:14:29,675 limit analysis of persistent storage devices to 352 00:14:29,675 --> 00:14:32,915 an exterior inspection for damage condition identification 353 00:14:33,275 --> 00:14:36,215 other visible properties in other words when 354 00:14:36,215 --> 00:14:38,195 you get a storage device in to 355 00:14:38,195 --> 00:14:39,575 do forensic analysis 356 00:14:39,635 --> 00:14:41,705 earn it record things like the model 357 00:14:41,705 --> 00:14:44,435 number record the serial number note any 358 00:14:44,435 --> 00:14:48,125 scuffs scratches dense note any dirt or 359 00:14:48,125 --> 00:14:49,925 dust or anything that might be on 360 00:14:49,925 --> 00:14:50,075 it 361 00:14:51,215 --> 00:14:54,665 but then image it take a forensically 362 00:14:54,665 --> 00:14:57,067 sound image of that storage device and 363 00:14:57,067 --> 00:14:59,045 then record the cryptographic hash of the 364 00:14:59,045 --> 00:15:02,345 image do all of your analysis work 365 00:15:02,405 --> 00:15:06,065 on that image secure the original storage 366 00:15:06,065 --> 00:15:08,675 device back into evidence storage make sure 367 00:15:08,675 --> 00:15:11,315 the chain of custody is preserved and 368 00:15:11,327 --> 00:15:14,585 then after completing your analysis rehashed the 369 00:15:14,585 --> 00:15:16,475 image make sure that you didn't accidentally 370 00:15:16,475 --> 00:15:17,795 change the image while you were doing 371 00:15:17,795 
--> 00:15:18,485 the analysis 372 00:15:20,195 --> 00:15:22,085 you do have to realize the limitations 373 00:15:22,085 --> 00:15:23,945 of following these best practices though the 374 00:15:23,945 --> 00:15:26,315 first of these is if your friends 375 00:15:26,315 --> 00:15:28,385 examiner working in a lab the first 376 00:15:28,385 --> 00:15:29,645 time you're going to see the evidence 377 00:15:29,645 --> 00:15:31,355 is probably when it shows up in 378 00:15:31,355 --> 00:15:32,705 an evidence bag in your lab 379 00:15:34,085 --> 00:15:36,965 spoliation might have occurred somewhere already in 380 00:15:36,965 --> 00:15:40,205 the previous chain of custody whoever collected 381 00:15:40,205 --> 00:15:41,645 the evidence in the field might have 382 00:15:41,645 --> 00:15:43,955 made a mistake resulting in spoliation 383 00:15:45,188 --> 00:15:47,225 might have had somebody who wasn't technical 384 00:15:47,225 --> 00:15:48,725 who knew they needed to bring back 385 00:15:48,725 --> 00:15:50,885 the hop the hard drive from a 386 00:15:50,885 --> 00:15:53,165 computer let's say specially like a laptop 387 00:15:53,165 --> 00:15:55,925 hard drive that uses glass platters and 388 00:15:55,925 --> 00:15:57,635 they might have thought that breaking the 389 00:15:57,635 --> 00:15:59,465 computer open with a sledgehammer was the 390 00:15:59,465 --> 00:16:01,235 quickest way to get to that might 391 00:16:01,235 --> 00:16:03,485 have damaged the platters says all kinds 392 00:16:03,485 --> 00:16:05,315 of things that can occur upstream 393 00:16:05,315 --> 00:16:06,755 theme that you might not have control 394 00:16:06,755 --> 00:16:06,935 of 395 00:16:07,985 --> 00:16:11,255 if however you are going into the 396 00:16:11,255 --> 00:16:14,105 field to collect evidence follow the national 397 00:16:14,105 --> 00:16:17,885 institutes of justice guidelines for your scene 398 00:16:17,885 --> 00:16:20,315 procedures and ensure that the proper chain 399 00:16:20,315 --> 
00:16:23,195 of custody procedures are followed from the 400 00:16:23,195 --> 00:16:26,645 time you collect that evidence until whatever 401 00:16:26,645 --> 00:16:28,115 time that the evidence can finally 402 00:16:28,115 --> 00:16:29,675 be disposed of as directed by the 403 00:16:29,675 --> 00:16:33,061 court i do not i 404 00:16:34,149 --> 00:16:36,515 you do not deviate from good procedure 405 00:16:36,515 --> 00:16:38,705 because any deviation you do has the 406 00:16:38,705 --> 00:16:41,675 potential to change the evidence digital evidence 407 00:16:41,675 --> 00:16:44,585 is by it's nature especially when you're 408 00:16:44,795 --> 00:16:47,015 on consumer devices like the kind that 409 00:16:47,015 --> 00:16:48,605 you're going to encounter in most cases 410 00:16:49,535 --> 00:16:52,385 relatively fragile and i'm saying this because 411 00:16:52,835 --> 00:16:54,275 i had a i had a back 412 00:16:54,305 --> 00:16:56,075 up drive just the other day that 413 00:16:56,645 --> 00:16:57,875 i had plugged in because i was 414 00:16:57,875 --> 00:17:00,245 moving everything to another backup drive and 415 00:17:00,245 --> 00:17:02,135 discovered that the drive had failed so 416 00:17:02,375 --> 00:17:05,015 it can actually be a fragile and 417 00:17:05,075 --> 00:17:06,755 in various unexpected ways 418 00:17:08,345 --> 00:17:09,694 alright finally let me talk about a 419 00:17:09,694 --> 00:17:13,025 few ethics issues related to digital forensics 420 00:17:13,025 --> 00:17:14,585 in general we're going to focus on 421 00:17:14,585 --> 00:17:18,515 spoliation but these principles apply to all 422 00:17:18,515 --> 00:17:20,615 aspects of doing forensics work this is 423 00:17:20,615 --> 00:17:21,935 just a good place to talk about 424 00:17:21,935 --> 00:17:22,115 them 425 00:17:23,345 --> 00:17:26,315 when you're working in a friend's ec 426 00:17:26,345 --> 00:17:30,095 investigative capacity you're typically going to be 427 00:17:30,095 --> 00:17:32,105 
working you know unless you're doing like 428 00:17:32,105 --> 00:17:34,805 intrusion detection or or some sort of 429 00:17:34,805 --> 00:17:38,255 mitigation work and you're generally going to 430 00:17:38,255 --> 00:17:40,205 be working for one party or another 431 00:17:40,205 --> 00:17:41,855 in some sort of a court case 432 00:17:41,855 --> 00:17:42,935 in civil cases 433 00:17:43,775 --> 00:17:46,535 are are more likely in your career 434 00:17:46,535 --> 00:17:49,385 probably than criminal ones unless you go 435 00:17:49,385 --> 00:17:51,185 into the criminal justice side of things 436 00:17:51,875 --> 00:17:56,795 and so your ethical duty is generally 437 00:17:56,795 --> 00:17:58,355 going to be to the party that 438 00:17:58,355 --> 00:18:01,565 retained your services in other words if 439 00:18:01,565 --> 00:18:03,635 you're doing an investigation a civil case 440 00:18:03,635 --> 00:18:05,405 case let's say it's some sort of 441 00:18:05,405 --> 00:18:08,975 contested divorce you're representing let's say the 442 00:18:08,975 --> 00:18:11,405 husband and you find evidence there that 443 00:18:11,405 --> 00:18:14,825 the husband has gone and had multiple 444 00:18:14,825 --> 00:18:18,245 affairs you don't turn that over to 445 00:18:18,245 --> 00:18:20,195 the wife he yeah you might tell 446 00:18:20,195 --> 00:18:23,285 the the you know your attorney that 447 00:18:23,345 --> 00:18:23,795 you're working 448 00:18:23,825 --> 00:18:27,725 for that but it's not you're either 449 00:18:27,725 --> 00:18:31,655 responsibility or an ethically okay thing to 450 00:18:31,655 --> 00:18:34,985 do dispel that information to someone else 451 00:18:35,105 --> 00:18:37,625 nk same thing if you are doing 452 00:18:37,625 --> 00:18:39,995 data recovery for example for somebody in 453 00:18:40,595 --> 00:18:42,665 and you you know you find the 454 00:18:42,725 --> 00:18:43,955 nude pictures you can't just go 455 00:18:43,985 --> 00:18:45,995 post them up online 
somewhere right so 456 00:18:46,265 --> 00:18:49,115 there are some ethical responsibilities here now 457 00:18:49,115 --> 00:18:50,345 where these get a little bit more 458 00:18:50,345 --> 00:18:52,865 challenging is again in the criminal cases 459 00:18:53,045 --> 00:18:55,595 if you are doing forensic work in 460 00:18:55,595 --> 00:18:58,745 criminal cases first of all if you're 461 00:18:58,745 --> 00:19:00,785 the friends examiner which means that you 462 00:19:00,785 --> 00:19:03,035 are working for the prosecutor right you're 463 00:19:03,035 --> 00:19:04,115 on the prosecutions 464 00:19:04,115 --> 00:19:05,795 side if you're the one in the 465 00:19:05,795 --> 00:19:09,035 crime lab doing the analysis you do 466 00:19:09,035 --> 00:19:11,015 have to remember the prosecutor has an 467 00:19:11,015 --> 00:19:14,045 ethical and legal duty under brady to 468 00:19:14,045 --> 00:19:17,555 disclose the exculpatory evidence to the defense 469 00:19:17,675 --> 00:19:21,215 any exculpatory evidence that you find so 470 00:19:21,245 --> 00:19:23,645 if he find exculpatory evidence you have 471 00:19:23,645 --> 00:19:24,275 to notify the 472 00:19:24,275 --> 00:19:26,495 the prosecutor of that because the prosecutor 473 00:19:26,855 --> 00:19:30,095 has to notify the defense now if 474 00:19:30,095 --> 00:19:31,775 you happen to know the prosecutors in 475 00:19:31,775 --> 00:19:33,905 doing that if you say okay prosecutor 476 00:19:33,905 --> 00:19:37,295 you know i found this exculpatory evidence 477 00:19:37,295 --> 00:19:40,015 my my analysis says you know that 478 00:19:40,015 --> 00:19:41,945 that there's no way that this crime 479 00:19:41,945 --> 00:19:43,835 could have occurred in this way and 480 00:19:43,835 --> 00:19:44,435 the prosecute 481 00:19:44,435 --> 00:19:46,205 eaters like oh don't worry about it 482 00:19:46,205 --> 00:19:48,455 just keep hush hush about it then 483 00:19:48,455 --> 00:19:50,525 you actually have an ethical duty whether 484 
00:19:50,525 --> 00:19:51,515 or not you have a legal one 485 00:19:52,145 --> 00:19:54,695 to report the prosecutor's conduct to the 486 00:19:54,695 --> 00:19:56,675 court okay you don't report it to the 487 00:19:56,675 --> 00:19:58,595 defense but to the court 488 00:19:59,975 --> 00:20:01,925 and you have this responsibility even if 489 00:20:01,925 --> 00:20:03,725 the defendant appears guilty i mean even 490 00:20:03,725 --> 00:20:05,285 if you find all the evidence on 491 00:20:05,285 --> 00:20:06,965 the system that really points to the 492 00:20:06,965 --> 00:20:10,145 defendant doing something heinous you still have 493 00:20:10,145 --> 00:20:12,155 an obligation to ensure that brady is 494 00:20:12,155 --> 00:20:12,575 upheld 495 00:20:14,125 --> 00:20:14,935 an ethical one 496 00:20:16,675 --> 00:20:19,765 now obviously and this should go without 497 00:20:19,765 --> 00:20:23,005 saying but fabrication or outright manipulation of 498 00:20:23,005 --> 00:20:26,215 the evidence is unethical no matter how 499 00:20:26,215 --> 00:20:28,285 guilty you think the defendant may be 500 00:20:28,345 --> 00:20:30,595 so you might not find anything exculpatory 501 00:20:30,595 --> 00:20:32,695 about the defendant but you might find 502 00:20:32,695 --> 00:20:34,405 evidence that yeah this person did it 503 00:20:34,405 --> 00:20:35,605 and what they did was really really 504 00:20:35,605 --> 00:20:36,205 bad could 505 00:20:36,205 --> 00:20:38,305 have been child abuse or murder 506 00:20:38,305 --> 00:20:39,205 or something like that 507 00:20:40,945 --> 00:20:43,855 in that situation you still cannot fabricate 508 00:20:43,855 --> 00:20:46,675 the evidence okay or manipulate the evidence 509 00:20:47,425 --> 00:20:49,675 one it's highly unethical and you need 510 00:20:49,675 --> 00:20:52,495 to follow good ethical practices two in 511 00:20:52,495 --> 00:20:54,385 a lot of jurisdictions it's actually criminal 512 00:20:54,385 --> 00:20:55,795 to do something
like that and you 513 00:20:55,795 --> 00:20:57,445 could find yourself with a government funded 514 00:20:57,445 --> 00:20:58,105 vacation 515 00:21:00,115 --> 00:21:02,275 now what happens in a criminal case 516 00:21:02,275 --> 00:21:03,985 if you're retained by the defense well 517 00:21:04,405 --> 00:21:06,385 your ethical duties are to the defendant the 518 00:21:06,385 --> 00:21:08,695 defendant may be the sleaziest person you've 519 00:21:08,695 --> 00:21:10,705 ever met or ever heard of if 520 00:21:10,705 --> 00:21:12,955 you don't meet the defendant but you 521 00:21:12,955 --> 00:21:14,965 still have an ethical obligation to look 522 00:21:14,965 --> 00:21:17,785 for weaknesses in the prosecution's forensic analysis 523 00:21:18,085 --> 00:21:19,405 check for any spoliation 524 00:21:19,435 --> 00:21:21,445 and the evidence and do all of 525 00:21:21,445 --> 00:21:24,235 the things that you would do to 526 00:21:24,235 --> 00:21:26,935 try to identify any holes that might 527 00:21:26,935 --> 00:21:28,255 be in the case because you have 528 00:21:28,255 --> 00:21:30,805 a duty to help the defense attorney 529 00:21:32,335 --> 00:21:33,805 now you might say i do not 530 00:21:33,805 --> 00:21:35,455 want to help a defense attorney who's 531 00:21:35,455 --> 00:21:37,705 representing somebody did something heinous like murder 532 00:21:38,095 --> 00:21:40,645 well you probably shouldn't go into this 533 00:21:40,645 --> 00:21:42,265 line of work then okay if you're 534 00:21:42,505 --> 00:21:44,005 the at least not on on that 535 00:21:44,005 --> 00:21:46,345 side of it because you do have 536 00:21:46,345 --> 00:21:47,725 some ethical obligations there 537 00:21:49,285 --> 00:21:52,495 it is unethical to spoliate evidence intentionally once 538 00:21:52,495 --> 00:21:56,455 again and remember when we come back 539 00:21:56,455 --> 00:21:58,585 to these ethical statements and is ethical 540 00:21:58,585 --> 00:22:00,475 whoa why am i helping out a 541
00:22:00,475 --> 00:22:02,455 murderer if i'm representing the defense 542 00:22:03,595 --> 00:22:05,845 remember that our system of justice in 543 00:22:05,845 --> 00:22:07,255 the united states is based on the 544 00:22:07,255 --> 00:22:10,765 british system it's an adversarial system both 545 00:22:10,765 --> 00:22:12,655 sides work against each other and the 546 00:22:12,655 --> 00:22:14,995 finder of fact generally a jury is 547 00:22:14,995 --> 00:22:17,665 going to make the decision about which 548 00:22:17,665 --> 00:22:18,805 side prevails 549 00:22:19,975 --> 00:22:23,125 the system only works properly when both 550 00:22:23,125 --> 00:22:27,055 sides uphold their ethical obligations when both 551 00:22:27,055 --> 00:22:28,765 sides do what they're supposed to do 552 00:22:29,545 --> 00:22:31,405 if the defense is like shit he 553 00:22:31,405 --> 00:22:33,355 added this person's really guilty i'm not 554 00:22:33,355 --> 00:22:34,585 going to represent them i'm going to 555 00:22:34,585 --> 00:22:36,745 do a really bad job you run 556 00:22:36,745 --> 00:22:39,085 the risk of them being wrong and 557 00:22:39,085 --> 00:22:40,045 an innocent person 558 00:22:40,045 --> 00:22:42,085 going to prison so you need to 559 00:22:42,085 --> 00:22:44,005 think about the types of things that 560 00:22:44,005 --> 00:22:47,755 can happen if people didn't follow these 561 00:22:47,755 --> 00:22:51,055 very strict ethical guidelines and make sure 562 00:22:51,055 --> 00:22:52,855 you uphold your ethical obligations 563 00:22:54,085 --> 00:22:57,085 alright so to summarize spoliation the destruction 564 00:22:57,085 --> 00:22:59,455 alteration or failure to preserve evidence for 565 00:22:59,455 --> 00:23:01,765 use in ongoing or foreseeable future court 566 00:23:01,765 --> 00:23:02,365 cases 567 00:23:03,925 --> 00:23:06,895 specific sanctions for spoliation exist in civil 568 00:23:06,895 --> 00:23:10,405 procedure spoliation in criminal cases is murkier 569
00:23:10,405 --> 00:23:12,055 but can have adverse outcomes on the 570 00:23:12,055 --> 00:23:12,565 case 571 00:23:13,915 --> 00:23:17,005 you should avoid spoliation by following good 572 00:23:17,005 --> 00:23:20,035 forensic practices and uphold your ethical 573 00:23:20,035 --> 00:23:23,545 obligations as a technology professional and if 574 00:23:23,545 --> 00:23:24,625 you'd like to read more about the 575 00:23:24,625 --> 00:23:27,355 cases that i've cited here or some 576 00:23:27,355 --> 00:23:28,645 of the other things that are related 577 00:23:28,645 --> 00:23:31,585 to spoliation here's some reading of a 578 00:23:31,585 --> 00:23:32,875 lot of this is more on the 579 00:23:32,875 --> 00:23:33,775 legal side 580 00:23:33,805 --> 00:23:35,245 because this is part of the kind 581 00:23:35,245 --> 00:23:37,915 of the legal framework of forensics component 582 00:23:37,915 --> 00:23:39,235 that we talk about in this course 583 00:23:39,595 --> 00:23:42,145 but it could be interesting if you're 584 00:23:42,145 --> 00:23:44,035 interested in that type of material